Splunk Enterprise

Splunk monitor data input different behavior after sourcetype change

SplunkExplorer
Contributor

Hi Splunkers, today I noticed a behavior I don't understand and I'm here to ask for your help.

In a customer environment, we have some data (Forcepoint ones) that reach a HF (so, a Splunk Enterprise instance) and are then sent to Splunk Cloud.
The collection method uses a script that pulls logs and saves them to a path, so the related data input is a Monitor one, which continuously monitors the pulled data. It looks like this in the Monitor Input list:

For parsing, we are using a sourcetype that seems not to work properly, because it is not configured to extract CSV data (logs are collected by the script as CSV files). So, to avoid changing it during the testing phase, we:

  • configured another sourcetype
  • configured another index
  • in the custom sourcetype properties, set the Indexed Extraction to csv
  • finally, associated the new sourcetype and new index to the monitor input.

The thing that happens and I don't understand is this: if we perform this change, all .csv log files start to be listed in the monitor input list and the associated app becomes splunk_instrumentation:

In the above screen I captured only the last csv file present, but if I leave this configuration many others will follow (all the ones captured by the script). Why does this happen? Is it related to the Indexed Extraction property of the custom sourcetype?
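
The setup listed above (new index, new sourcetype with csv indexed extraction, monitor input pointing at both), written out as the configuration stanzas it corresponds to on the HF. This is an added example, not the poster's configuration; the app name, the monitored path, the index and sourcetype names, and the `timestamp` header column are assumptions.

```ini
# $SPLUNK_HOME/etc/apps/forcepoint_collector/local/inputs.conf
# (app name "forcepoint_collector" and the path are assumptions)
# Monitor the directory the collection script writes its csv files into.
[monitor:///opt/forcepoint/out/*.csv]
disabled = false
# assumed name of the new index
index = forcepoint_test
# assumed name of the new custom sourcetype
sourcetype = forcepoint:csv
# Script-written csv files usually share the same header line, so the
# leading bytes Splunk hashes to tell files apart can collide; salting
# the CRC with the file path keeps each file tracked separately.
crcSalt = <SOURCE>

# $SPLUNK_HOME/etc/apps/forcepoint_collector/local/props.conf
# INDEXED_EXTRACTIONS is applied by the first full Splunk instance that
# parses the data, so in a HF -> Splunk Cloud flow this stanza must live
# on the HF, not only in Splunk Cloud.
[forcepoint:csv]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
HEADER_FIELD_LINE_NUMBER = 1
# one csv row is one event; never merge lines
SHOULD_LINEMERGE = false
# assumed: the header column that carries the event time
TIMESTAMP_FIELDS = timestamp
```

To see which app each monitor stanza actually resolves from on the HF, `splunk btool inputs list --debug` prints the originating .conf file beside every setting.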
